Beispiel #1
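/**
 * @brief Serialise one BLOB as a <oneBLOB> element and write it to client_socket.
 *
 * The payload is base64-encoded with to64frombits() and emitted in lines of
 * 72 characters, each followed by '\n'.
 *
 * Hardening over the previous version: the allocation is checked, the result
 * of write() is kept in a signed type (stored in a size_t, a -1 error became a
 * huge positive count), a write that makes no progress ends the loop instead
 * of spinning, and line breaks stay on 72-character boundaries after a short
 * write. On a failed write the element is left unterminated and the function
 * returns; nothing further is sent.
 *
 * NOTE(review): bp->name and bp->format are placed into the XML attributes
 * without escaping; confirm they can never contain quotes or markup.
 *
 * @param bp BLOB descriptor; its name, format, blob and size fields are read.
 */
void INDI::BaseClientQt::sendOneBlob(IBLOB * bp)
{
    // A missing descriptor, a negative length or a missing payload cannot be encoded
    if (bp == nullptr || bp->size < 0 || (bp->blob == nullptr && bp->size > 0))
        return;

    // base64 produces 4 characters per started 3-byte group plus a terminator;
    // computed in size_t so the multiplication cannot overflow int
    const size_t encCapacity = 4 * (static_cast<size_t>(bp->size) / 3) + 8;
    unsigned char * encblob  = static_cast<unsigned char *>(malloc(encCapacity));
    if (encblob == nullptr)
        return; // nothing has been written yet, so the stream stays well-formed

    const int encLen = to64frombits(encblob, reinterpret_cast<const unsigned char *>(bp->blob), bp->size);

    QString prop;
    prop += QString("  <oneBLOB\n");
    prop += QString("    name='%1'\n").arg(bp->name);
    prop += QString("    size='%1'\n").arg(QString::number(bp->size));
    prop += QString("    enclen='%1'\n").arg(QString::number(encLen));
    prop += QString("    format='%1'>\n").arg(bp->format);

    client_socket.write(prop.toLatin1());

    const qint64 lineLen = 72;
    const qint64 total   = encLen;
    qint64 written       = 0;
    bool failed          = false;

    while (written < total)
    {
        // Never write past the end of the current 72-character line, so the
        // newline below lands on the boundary even after a short write
        const qint64 lineRoom  = lineLen - (written % lineLen);
        const qint64 remaining = total - written;
        const qint64 towrite   = (remaining < lineRoom) ? remaining : lineRoom;

        const qint64 wr = client_socket.write(reinterpret_cast<const char *>(encblob + written), towrite);
        if (wr <= 0)
        {
            // error (-1) or no progress (0): stop rather than loop forever
            failed = true;
            break;
        }

        written += wr;
        if ((written % lineLen) == 0)
            client_socket.write("\n");
    }

    free(encblob);

    if (failed)
        return;

    // Terminate a final, partially filled line
    if ((written % lineLen) != 0)
        client_socket.write("\n");

    client_socket.write("   </oneBLOB>\n");
}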
Beispiel #2
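/*
 * crammd5() -- build the CRAM-MD5 response for a base64 encoded challenge
 *
 * Decodes challengeb64, computes HMAC-MD5 over it keyed with password, and
 * writes base64("<username> <hex digest>") to responseb64.
 *
 * Returns 1 on success, 0 when an argument is NULL or an input is too long
 * for the local buffers.
 *
 * Fixes over the previous version:
 *  - digascii had MD5_DIGEST_LEN * 2 bytes but its terminator was written at
 *    index MD5_DIGEST_LEN * 2, one byte past the end of the array
 *  - strncpy() into secret used the full buffer size, so a password of
 *    sizeof(secret) bytes or more left it unterminated before strlen()
 *  - strncpy() into response could leave it unterminated before strcat()
 *    for usernames at the size limit
 *
 * The caller must supply a responseb64 buffer large enough for the base64
 * form of the response; no size is passed in, so it cannot be checked here.
 * Passwords longer than MD5_BLOCK_LEN bytes are truncated to that length.
 * The return value of from64tobits() is not checked, as before.
 */
int crammd5(char *challengeb64, char *username, char *password, char *responseb64)
{
	int i;
	size_t ulen;
	unsigned char digest[MD5_DIGEST_LEN];
	unsigned char digascii[MD5_DIGEST_LEN * 2 + 1];	/* +1 for the terminator */
	unsigned char challenge[(BUF_SZ + 1)];
	unsigned char response[(BUF_SZ + 1)];
	unsigned char secret[(MD5_BLOCK_LEN + 1)];

	if (!challengeb64 || !username || !password || !responseb64)
		return 0;
	if (strlen(challengeb64) > sizeof(challenge) * 3 / 4)
		return 0;

	memset (secret,0,sizeof(secret));
	memset (challenge,0,sizeof(challenge));
	/* leave the last zeroed byte alone so secret is always terminated */
	strncpy (secret, password, sizeof(secret) - 1);
	from64tobits(challenge, challengeb64);

	hmac_md5(challenge, strlen(challenge), secret, strlen(secret), digest);

	for (i = 0; i < MD5_DIGEST_LEN; i++) {
		digascii[2 * i] = hextab[digest[i] >> 4];
		digascii[2 * i + 1] = hextab[(digest[i] & 0x0F)];
	}
	digascii[MD5_DIGEST_LEN * 2] = '\0';

	/* username + ' ' + hex digest + terminator must fit in response */
	ulen = strlen(username);
	if (sizeof(response) <= ulen + sizeof(digascii))
		return 0;

	memcpy (response, username, ulen);
	response[ulen] = ' ';
	memcpy (response + ulen + 1, digascii, sizeof(digascii));	/* copies the terminator too */
	to64frombits(responseb64, response, ulen + 1 + MD5_DIGEST_LEN * 2);

	return 1;
}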
Beispiel #3
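/*
 * Base64-encode len bytes of Text into the string buffer Return.
 *
 * Return is resized with SetStrLen() and the resized pointer is returned.
 *
 * base64 emits 4 characters for every started group of 3 input bytes, plus a
 * terminator. The previous size of len * 2 is smaller than that for len 0, 1,
 * 2 and 4, so to64frombits() could write past the requested size unless
 * SetStrLen() adds slack of its own. The size requested now is the larger of
 * the exact requirement and the old len * 2.
 */
char *EncodeBase64(char *Return, char *Text, int len)
{
  char *RetStr;
  int needed;

  needed=((len + 2) / 3) * 4 + 1;
  if (needed < len * 2) needed=len * 2;

  RetStr=SetStrLen(Return,needed);
  to64frombits(RetStr,Text,len);

  return(RetStr);
}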
Beispiel #4
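/*
 * Append an authentication header named AuthHeader to RetStr and return the
 * resulting string. RetStr is returned unchanged when AuthInfo is NULL.
 *
 * Depending on AuthInfo->Flags the header carries an opaque token
 * (HTTP_AUTH_TOKEN), an HTTP Digest response (HTTP_AUTH_DIGEST) or, by
 * default, Basic credentials. HTTP_SENT_AUTH is set on AuthInfo->Flags in
 * every case. Info is read only in the Digest branch (Method and Doc).
 *
 * Fixes over the previous version:
 *  - AuthCounter was incremented without ever being initialised, so the nc=
 *    value was indeterminate; it now starts at 0 and is sent as 00000001.
 *    NOTE(review): a counter kept per server nonce would be the complete fix.
 *  - the Basic buffer was sized StrLen * 2, which is smaller than the base64
 *    output plus terminator for very short "logon:password" strings.
 *
 * NOTE(review): the client nonce comes from rand(), which is predictable; a
 * cryptographic random source would be the appropriate replacement.
 * NOTE(review): Logon, AuthRealm, AuthNonce, Password and Info->Doc are
 * copied into the header as-is; confirm none of them can contain CR/LF or a
 * double quote.
 * NOTE(review): Tempstr holds the clear-text password and is released without
 * being wiped.
 */
char *HTTPHeadersAppendAuth(char *RetStr, char *AuthHeader, HTTPInfoStruct *Info, HTTPAuthStruct *AuthInfo)
{
  char *SendStr=NULL, *Tempstr=NULL;
  char *HA1=NULL, *HA2=NULL, *ClientNonce=NULL, *Digest=NULL;
  int i, AuthCounter=0, BasicLen, EncLen;

  if (! AuthInfo) return(RetStr);

  SendStr=CatStr(RetStr,"");

  //Authentication by an opaque authentication token that is handled
  //elsewhere, and is set as the 'Password'
  if (AuthInfo->Flags & HTTP_AUTH_TOKEN)
  {
    SendStr=MCatStr(SendStr,AuthHeader,": ",AuthInfo->Password,"\r\n",NULL);
    AuthInfo->Flags |= HTTP_SENT_AUTH;
  }
  else if (AuthInfo->Flags & HTTP_AUTH_DIGEST)
  {
    AuthCounter++;

    //HA1 = md5(logon:realm:password), HA2 = md5(method:uri)
    Tempstr=FormatStr(Tempstr,"%s:%s:%s",AuthInfo->Logon,AuthInfo->AuthRealm,AuthInfo->Password);
    HashBytes(&HA1,"md5",Tempstr,StrLen(Tempstr),0);
    Tempstr=FormatStr(Tempstr,"%s:%s",Info->Method,Info->Doc);
    HashBytes(&HA2,"md5",Tempstr,StrLen(Tempstr),0);

    //client nonce: ten values from rand(), each appended as hex
    for (i=0; i < 10; i++)
    {
      Tempstr=FormatStr(Tempstr,"%x",rand() % 255);
      ClientNonce=CatStr(ClientNonce,Tempstr);
    }

    Tempstr=FormatStr(Tempstr,"%s:%s:%08d:%s:auth:%s",HA1,AuthInfo->AuthNonce,AuthCounter,ClientNonce,HA2);
    HashBytes(&Digest,"md5",Tempstr,StrLen(Tempstr),0);
    Tempstr=FormatStr(Tempstr,"%s: Digest username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s\",qop=auth,nc=%08d,cnonce=\"%s\",response=\"%s\"\r\n",AuthHeader,AuthInfo->Logon,AuthInfo->AuthRealm,AuthInfo->AuthNonce,Info->Doc,AuthCounter,ClientNonce,Digest);
    SendStr=CatStr(SendStr,Tempstr);
    AuthInfo->Flags |= HTTP_SENT_AUTH;
  }
  else
  {
    Tempstr=CopyStr(Tempstr,AuthInfo->Logon);
    Tempstr=CatStr(Tempstr,":");
    Tempstr=CatStr(Tempstr,AuthInfo->Password);

    //base64 needs 4 characters per started 3-byte group plus a terminator;
    //never request less than the previous StrLen * 2
    BasicLen=StrLen(Tempstr);
    EncLen=((BasicLen + 2) / 3) * 4 + 1;
    if (EncLen < BasicLen * 2) EncLen=BasicLen * 2;

    Digest=SetStrLen(Digest,EncLen);
    to64frombits(Digest,Tempstr,BasicLen);
    SendStr=MCatStr(SendStr,AuthHeader,": Basic ",Digest,"\r\n",NULL);
    AuthInfo->Flags |= HTTP_SENT_AUTH;
  }

  DestroyString(HA1);
  DestroyString(HA2);
  DestroyString(ClientNonce);
  DestroyString(Digest);
  DestroyString(Tempstr);

  return(SendStr);
}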
Beispiel #5
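// Encodes "FOOBARBAZ" with to64frombits() and checks the returned length and
// the NUL-terminated output against the known base64 form.
//
// The buffer size was previously written as
// `sizeof("FOOBARBAZ") - 1 * 4 / 3 + 4 + 1`, which operator precedence turns
// into 10 - 1 + 4 + 1 = 14 rather than the intended (10 - 1) * 4 / 3 + 4 + 1 = 17.
// 14 bytes happened to be enough for this input; the expression is now
// parenthesised by construction so the test no longer depends on that.
TEST(CORE_BASE64, Test_to64frombits)
{
    const unsigned char convert[] = "FOOBARBAZ";
    const char expected[]         = "Rk9PQkFSQkFa";
    const size_t inputLen         = sizeof(convert) - 1;
    // 4 output characters per 3 input bytes, plus padding slack and the NUL
    const size_t size             = inputLen * 4 / 3 + 4 + 1;

    unsigned char *p_outbuf = (unsigned char *)calloc(1, size);
    ASSERT_TRUE(p_outbuf);

    const int len = to64frombits(p_outbuf, convert, inputLen);

    // EXPECT_* rather than ASSERT_* so the buffer is still released on failure
    EXPECT_EQ(static_cast<int>(sizeof(expected) - 1), len);
    EXPECT_STREQ(expected, (const char *)p_outbuf);

    free(p_outbuf);
}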
Beispiel #6
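/*
 * Encode len bytes of Digest into Buffer, as base64 when Encoding is
 * ENCODE_BASE64 and as lowercase hex otherwise. Returns the (possibly
 * reallocated) buffer.
 *
 * The buffer was always sized 128. base64 needs 4 characters per started
 * group of 3 bytes plus a terminator, which exceeds 128 once len is 94 or
 * more, so to64frombits() could write past the requested size. The base64
 * path now requests the larger of 128 and the exact requirement.
 *
 * NOTE(review): the hex path appends with CatStr() to whatever SetStrLen()
 * leaves in the buffer; confirm callers pass an empty or NULL Buffer.
 */
char *EncodeHash(char *Buffer, char *Digest, int len, int Encoding)
{
  char *Tempstr=NULL, *RetStr=NULL;
  int i, size=128;

  if (Encoding==ENCODE_BASE64)
  {
    int needed=((len + 2) / 3) * 4 + 1;
    if (needed > size) size=needed;
  }

  RetStr=SetStrLen(Buffer,size);
  if (Encoding==ENCODE_BASE64) to64frombits(RetStr,Digest,len);
  else
  {
    for (i=0; i < len; i++)
    {
      /* & 255 keeps a negative char from being printed as a sign-extended int */
      Tempstr=FormatStr(Tempstr,"%02x",Digest[i] & 255);
      RetStr=CatStr(RetStr,Tempstr);
    }
  }

  DestroyString(Tempstr);
  return(RetStr);
}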
Beispiel #7
/*
 * Builds one HTTP request carrying an Authorization header for the next
 * login/password pair, sends it on socket s and inspects the status line of
 * the reply. The header form is chosen by the global http_auth_mechanism
 * (Basic, Digest-MD5 when LIBOPENSSL is defined, or NTLM).
 *
 * Returns 1 or 3 (see the individual return statements); buffer and header
 * are heap allocations owned by this function.
 *
 * Review notes on memory safety, all visible in the code below:
 *  - buffer is sized strlen(header) + 500, but the sprintf() calls also write
 *    webtarget, miscptr, the encoded credentials and the proxy credentials
 *    without any bound on the total
 *  - from64tobits() decodes text received from the peer into the 4096-byte
 *    buf1 with no length argument
 *  - one error path returns without releasing buffer and header
 */
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) {
  char *empty = "";
  char *login, *pass, *buffer, buffer2[500];
  char *header;
  char *ptr, *fooptr;
  int32_t complete_line = 0, buffer_size;
  char tmpreplybuf[1024] = "", *tmpreplybufptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (strcmp(type, "POST") == 0)
    add_header(&ptr_head, "Content-Length", "0", HEADER_TYPE_DEFAULT);

  // NOTE(review): the result is passed to strlen() below without a NULL check
  header = stringify_headers(&ptr_head);

  // 500 bytes of headroom on top of the extra headers; everything else written
  // into buffer below has to fit in that headroom
  buffer_size = strlen(header) + 500;
  if(!(buffer = malloc(buffer_size))) {
    free(header);
    return 3;
  }

  // we must reset this if buf is NULL and we do MD5 digest
  if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5)
    http_auth_mechanism = AUTH_BASIC;

  if (use_proxy > 0 && proxy_count > 0)
    selected_proxy = random() % proxy_count;

  // NOTE(review): the switch has no default case; for any other mechanism
  // value buffer is sent below without having been written
  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    // "%.50s:%.50s" bounds this to 101 characters plus terminator in buffer2[500]
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. don't worry, buffer can't overflow */
    // NOTE(review): only miscptr carries a precision (%.250s); type, webtarget
    // and proxy_authentication[] are written with plain %s, so the claim above
    // holds only if those are bounded elsewhere
    if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      // NOTE(review): pbuffer is used without a NULL check; if the stored reply
      // has no Digest challenge the pointer arithmetic below is invalid
      pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1);
      buffer[buffer_size - 1] = '\0';

      // fooptr is passed by value, so the NULL test below can never be true as
      // written; a failure inside sasl_digest_md5() is not detected here
      fooptr = buffer2;
      sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
      if (fooptr == NULL) {
        free(buffer);
        free(header);
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      // buffer2 is 500 bytes and buffer is at least 500 bytes, so this copy fits
      // provided sasl_digest_md5() kept buffer2 terminated
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      // to64frombits() takes no output capacity; buf1 must hold 4/3 of SmbLength()
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it can't overflow */
      // NOTE(review): unlike the Basic case miscptr is written with plain %s
      // here, and buf1 may be far longer than the 500 bytes of headroom
      //send the first..
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        free(buffer);
        free(header);
        return 1;
      }

      //receive challenge
      if (http_buf != NULL)
        free(http_buf);

      http_buf = hydra_receive_line(s);
      if (http_buf == NULL) {
        if (verbose)
          hydra_report(stderr, "[ERROR] Server did not answer\n");
        free(buffer);
        free(header);
        return 3;
      }

      pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ");
      if (pos != NULL) {
        char *str;

        // 23 == strlen("WWW-Authenticate: NTLM "); cut the value at the first CR/LF
        pos += 23;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      } else {
        hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n");
        // NOTE(review): this path returns without free(buffer) / free(header),
        // unlike every other early return in the function
        return 3;
      }

      //recover challenge
      // NOTE(review): pos is text received from the peer and is decoded into the
      // 4096-byte buf1 with no length check
      from64tobits((char *) buf1, pos);
      free(http_buf);
      http_buf = NULL;

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    free(buffer);
    free(header);
    return 1;
  }

  if (http_buf != NULL)
    free(http_buf);
  http_buf = hydra_receive_line(s);
  complete_line = 0;
  tmpreplybuf[0] = 0;

  // Keep reading until http_buf holds a status line ("HTTP/1.") that also
  // contains a newline; a status line that arrived without one is parked in
  // tmpreplybuf and joined with the next chunk
  while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
    if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
    if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
      // truncating copy: at most sizeof(tmpreplybuf) - 1 bytes, then terminated
      strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
      tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
      free(http_buf);
      http_buf = hydra_receive_line(s);
    } else if (tmpreplybuf[0] != 0) {
      complete_line = 1;
      // allocation is sized from both lengths, so the strcpy/strcat pair fits
      if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) {
        strcpy(tmpreplybufptr, tmpreplybuf);
        strcat(tmpreplybufptr, http_buf);
        free(http_buf);
        http_buf = tmpreplybufptr;
        if (debug) printf("http_buf now: %s\n", http_buf);
      }
    } else {
      free(http_buf);
      http_buf = hydra_receive_line(s);
    }
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (http_buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    free(buffer);
    free(header);
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", http_buf);

  // ptr is moved to the character after the first space, i.e. the status code
  ptr = ((char *) index(http_buf, ' '));
  if (ptr != NULL)
    ptr++;
  // a status starting with 2 or 3, or exactly 403 / 404, is reported as a hit
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
    if (http_buf != NULL) {
      free(http_buf);
      http_buf = NULL;
    }
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic scheme so testing further
      int32_t find_auth = 0;

      if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
        // http_buf is deliberately kept: the AUTH_DIGESTMD5 case above reads the
        // challenge out of it on the next call
//        free(http_buf);
//        http_buf = NULL;
        free(buffer);
        free(header);
        return 1;
      }
    }
    hydra_completed_pair();
  }
  // http_buf stays allocated here as well; it is released at the start of the
  // next receive above
//  free(http_buf);
//  http_buf = NULL;
  free(buffer);
  free(header);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #8
/*
 * Builds one HTTP/1.0 request carrying an Authorization header for the next
 * login/password pair, sends it on socket s and inspects the status line of
 * the reply. The header form is chosen by the global http_auth_mechanism.
 * Returns 1 or 3 (see the individual return statements).
 *
 * Review notes on memory safety, all visible in the code below:
 *  - buffer is a fixed 500-byte stack array, yet most sprintf() arguments are
 *    written with plain %s and the NTLM blob in buf1 alone can exceed it
 *  - from64tobits() decodes text received from the peer into the 4096-byte
 *    buf1 with no length argument
 *  - two NULL checks (buffer2, ptr) can never fail as written
 */
int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  char *header = "";            /* XXX TODO */
  char *ptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  // NOTE(review): no default case; for any other mechanism value buffer is
  // sent below without having been written
  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    // "%.50s:%.50s" bounds this to 101 characters plus terminator
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. dont worry, buffer cant overflow */
    // NOTE(review): only miscptr carries a precision (%.250s); type, webtarget
    // and proxy_authentication are unbounded, so the claim above depends on
    // limits enforced elsewhere
    if (use_proxy == 1 && proxy_authentication != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      // NOTE(review): pbuffer is used without a NULL check
      pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer));
      buffer[sizeof(buffer) - 1] = '\0';

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header);
      // buffer2 is an array, so this comparison is always false; a failure
      // inside sasl_digest_md5() is not detected here
      if (buffer2 == NULL) {
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      // to64frombits() takes no output capacity; buf1 must hold 4/3 of SmbLength()
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      // NOTE(review): buffer is 500 bytes while buf1 is a string of up to 4096
      // bytes and miscptr is written with plain %s
      //send the first..
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;

      //receive challenge
      // skip reply lines until one carries the NTLM challenge header
      buf = hydra_receive_line(s);
      while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) {
        free(buf);
        buf = hydra_receive_line(s);
      }

      if (buf == NULL)
        return 1;

      if (pos != NULL) {
        char *str;

        // 23 == strlen("WWW-Authenticate: NTLM "); cut the value at the first CR/LF
        pos+=23;
        if ((str=strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str=strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0; }
      }

      //recover challenge
      // NOTE(review): pos is text received from the peer and is decoded into the
      // 4096-byte buf1 with no length check
      from64tobits((char *) buf1, pos);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  // discard reply lines until one contains the status line marker
  buf = hydra_receive_line(s);
  while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", buf);

  // NOTE(review): when the line has no space index() returns NULL and ptr
  // becomes (char *) 1, so the "ptr != NULL" tests below never catch that case
  // and *ptr dereferences an invalid address
  ptr = ((char *) index(buf, ' ')) + 1;
  // a status starting with 2 or 3, or exactly 403 / 404, is reported as a hit
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic scheme so testing further
      int find_auth = 0;

      if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
        // NOTE(review): buf is freed here, but the AUTH_DIGESTMD5 case above
        // reads buf at the start of the next call
        free(buf);
        return 1;
      }
    }
    hydra_completed_pair();
  }
  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}
Beispiel #9
/*
 * Performs one POP3 authentication exchange on socket s for the next
 * login/password pair, using the mechanism in p->pop3_auth_mechanism, and
 * classifies the server's final reply by its first character.
 * Returns 1, 2, 3 or 4 (see the individual return statements).
 *
 * Review notes on memory safety, all visible in the code below:
 *  - buffer and buffer2 are fixed 500-byte stack arrays; several strcpy() and
 *    sprintf() calls write login, pass or base64 blobs into them unbounded
 *  - sprintf(buffer, "%.250s\r\n", buffer) uses the same array as source and
 *    destination, which is undefined behaviour
 *  - from64tobits() decodes text received from the peer into fixed buffers
 *    with no length argument
 *  - the CRAM branch has early returns that do not free preplogin
 */
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  // drain any lines the server has already sent
  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    free(buf);
  }

  switch (p->pop3_auth_mechanism) {
#ifdef LIBOPENSSL
  case AUTH_APOP:{
      MD5_CTX c;
      unsigned char md5_raw[MD5_DIGEST_LENGTH];
      int i;
      char *pbuffer = buffer2;

      // digest = MD5(apop_challenge || pass)
      MD5_Init(&c);
      MD5_Update(&c, apop_challenge, strlen(apop_challenge));
      MD5_Update(&c, pass, strlen(pass));
      MD5_Final(md5_raw, &c);

      // two hex characters per digest byte, written into buffer2
      for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
        sprintf(pbuffer, "%02x", md5_raw[i]);
        pbuffer += 2;
      }
      // NOTE(review): login is written with plain %s into the 500-byte buffer
      sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
    }
    break;
#endif

  case AUTH_LOGIN:{
      sprintf(buffer, "AUTH LOGIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      // NOTE(review): unbounded copy of login into the 500-byte buffer2
      strcpy(buffer2, login);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

      sprintf(buffer, "%.250s\r\n", buffer2);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      // NOTE(review): unbounded copy of pass into the 500-byte buffer2
      strcpy(buffer2, pass);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%.250s\r\n", buffer2);
    }
    break;

  case AUTH_PLAIN:{
      sprintf(buffer, "AUTH PLAIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      memset(buffer, 0, sizeof(buffer));
      sasl_plain(buffer, login, pass);
      // NOTE(review): source and destination are the same array; sprintf() with
      // overlapping objects is undefined behaviour
      sprintf(buffer, "%.250s\r\n", buffer);
    }
    break;

#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      // preplogin is released with free() at the end of this case; the early
      // returns between here and there do not release it
      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:
        sprintf(buffer, "AUTH CRAM-MD5\r\n");
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "AUTH CRAM-SHA1\r\n");
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "AUTH CRAM-SHA256\r\n");
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge

      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        switch (p->pop3_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      // buf + 2 skips the first two characters of the reply line
      // NOTE(review): the peer-supplied challenge is decoded into the 500-byte
      // buffer with no length check
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      // buffer holds the decoded challenge on entry and is then overwritten
      // with "<preplogin> <response>"; preplogin is written with plain %s
      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      // NOTE(review): same-array sprintf() as in AUTH_PLAIN (undefined behaviour)
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      // NOTE(review): decodes from buf, not buf + 2 as the CRAM and NTLM cases
      // do, although buf[0] was just checked to be '+' - confirm which is meant.
      // The decode into the 500-byte buffer has no length check either
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "[VERBOSE] S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
      // buffer2 is an array, so this comparison is always false
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "[VERBOSE] C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "AUTH NTLM\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      // NOTE(review): buf1 is a string of up to 4096 bytes written with plain
      // %s into the 500-byte buffer
      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      //recover challenge
      // NOTE(review): this reply is not checked for a leading '+' or for being
      // at least two characters long before buf + 2 is decoded, and the decode
      // into the 4096-byte buf1 has no length check
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    // plain USER / PASS exchange; both values are bounded with %.250s
    sprintf(buffer, "USER %.250s\r\n", login);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    if (buf[0] != '+') {
      hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);
    sprintf(buffer, "PASS %.250s\r\n", pass);
  }

  // buffer now holds the final line of the exchange for the chosen mechanism
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  if ((buf = hydra_receive_line(s)) == NULL) {
    return 4;
 }

  // a reply starting with '+' is reported as a hit
  if (buf[0] == '+') {
    hydra_report_found_host(port, ip, "pop3", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  /* special AS/400 hack */
  // replies containing one of these message ids make the pair be skipped
  if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
    hydra_completed_pair_skip();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Beispiel #10
/*
ssmtp() -- send the message (exactly one) from stdin to the mailhub SMTP port
*/
int ssmtp(char *argv[])
{
	char b[(BUF_SZ + 2)], *buf = b+1, *p, *q;
#ifdef MD5AUTH
	char challenge[(BUF_SZ + 1)];
#endif
	struct passwd *pw;
	int i, sock;
	uid_t uid;
	bool_t minus_v_save, leadingdot, linestart = True;
	int timeout = 0;
	int bufsize = sizeof(b)-1;

	b[0] = '.';
	outbytes = 0;
	ht = &headers;

	uid = getuid();
	if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
		die("Could not find password entry for UID %d", uid);
	}
	get_arpadate(arpadate);

	if(read_config() == False) {
		log_event(LOG_INFO, "%s not found", config_file);
	}

	if((p = strtok(pw->pw_gecos, ";,"))) {
		if((gecos = strdup(p)) == (char *)NULL) {
			die("ssmtp() -- strdup() failed");
		}
	}
	revaliases(pw);

	/* revaliases() may have defined this */
	if(uad == (char *)NULL) {
		uad = append_domain(pw->pw_name);
	}

	rt = &rcpt_list;

	header_parse(stdin);

#if 1
	/* With FromLineOverride=YES set, try to recover sane MAIL FROM address */
	uad = append_domain(uad);
#endif

	from = from_format(uad, override_from);

	/* Now to the delivery of the message */
	(void)signal(SIGALRM, (void(*)())handler);	/* Catch SIGALRM */
	(void)alarm((unsigned) MAXWAIT);			/* Set initial timer */
	if(setjmp(TimeoutJmpBuf) != 0) {
		/* Then the timer has gone off and we bail out */
		die("Connection lost in middle of processing");
	}

	if((sock = smtp_open(mailhost, port)) == -1) {
		die("Cannot open %s:%d", mailhost, port);
	}
	else if (use_starttls == False) /* no initial response after STARTTLS */
	{
		if(smtp_okay(sock, buf) == False)
			die("Invalid response SMTP server");
	}

	/* If user supplied username and password, then try ELHO */
	if(auth_user) {
		outbytes += smtp_write(sock, "EHLO %s", hostname);
	}
	else {
		outbytes += smtp_write(sock, "HELO %s", hostname);
	}
	(void)alarm((unsigned) MEDWAIT);

	if(smtp_okay(sock, buf) == False) {
		die("%s (%s)", buf, hostname);
	}

	/* Try to log in if username was supplied */
	if(auth_user) {
#ifdef MD5AUTH
		if(auth_pass == (char *)NULL) {
			auth_pass = strdup("");
		}

		if(auth_method && strcasecmp(auth_method, "cram-md5") == 0) {
			outbytes += smtp_write(sock, "AUTH CRAM-MD5");
			(void)alarm((unsigned) MEDWAIT);

			if(smtp_read(sock, buf) != 3) {
				die("Server rejected AUTH CRAM-MD5 (%s)", buf);
			}
			strncpy(challenge, strchr(buf,' ') + 1, sizeof(challenge));

			memset(buf, 0, bufsize);
			crammd5(challenge, auth_user, auth_pass, buf);
		}
		else {
#endif
		memset(buf, 0, bufsize);
		to64frombits(buf, auth_user, strlen(auth_user));
		if (use_oldauth) {
			outbytes += smtp_write(sock, "AUTH LOGIN %s", buf);
		}
		else {
			outbytes += smtp_write(sock, "AUTH LOGIN");
			(void)alarm((unsigned) MEDWAIT);
			if(smtp_read(sock, buf) != 3) {
				die("Server didn't like our AUTH LOGIN (%s)", buf);
			}
			/* we assume server asked us for Username */
			memset(buf, 0, bufsize);
			to64frombits(buf, auth_user, strlen(auth_user));
			outbytes += smtp_write(sock, buf);
		}

		(void)alarm((unsigned) MEDWAIT);
		if(smtp_read(sock, buf) != 3) {
			die("Server didn't accept AUTH LOGIN (%s)", buf);
		}
		memset(buf, 0, bufsize);

		to64frombits(buf, auth_pass, strlen(auth_pass));
#ifdef MD5AUTH
		}
#endif
		/* We do NOT want the password output to STDERR
		 * even base64 encoded.*/
		minus_v_save = minus_v;
		minus_v = False;
		outbytes += smtp_write(sock, "%s", buf);
		minus_v = minus_v_save;
		(void)alarm((unsigned) MEDWAIT);

		if(smtp_okay(sock, buf) == False) {
			die("Authorization failed (%s)", buf);
		}
	}

	/* Send "MAIL FROM:" line */
	outbytes += smtp_write(sock, "MAIL FROM:<%s>", uad);

	(void)alarm((unsigned) MEDWAIT);

	if(smtp_okay(sock, buf) == 0) {
		die("%s", buf);
	}

	/* Send all the To: adresses */
	/* Either we're using the -t option, or we're using the arguments */
	if(minus_t) {
		if(rcpt_list.next == (rcpt_t *)NULL) {
			die("No recipients specified although -t option used");
		}
		rt = &rcpt_list;

		while(rt->next) {
			p = rcpt_remap(rt->string);
			outbytes += smtp_write(sock, "RCPT TO:<%s>", p);

			(void)alarm((unsigned)MEDWAIT);

			if(smtp_okay(sock, buf) == 0) {
				die("RCPT TO:<%s> (%s)", p, buf);
			}

			rt = rt->next;
		}
	}
	else {
		for(i = 1; (argv[i] != NULL); i++) {
			p = strtok(argv[i], ",");
			while(p) {
				/* RFC822 Address -> "foo@bar" */
				q = rcpt_remap(addr_parse(p));
				outbytes += smtp_write(sock, "RCPT TO:<%s>", q);

				(void)alarm((unsigned) MEDWAIT);

				if(smtp_okay(sock, buf) == 0) {
					die("RCPT TO:<%s> (%s)", q, buf);
				}

				p = strtok(NULL, ",");
			}
		}
	}

	/* Send DATA */
	outbytes += smtp_write(sock, "DATA");
	(void)alarm((unsigned) MEDWAIT);

	if(smtp_read(sock, buf) != 3) {
		/* Oops, we were expecting "354 send your data" */
		die("%s", buf);
	}

	outbytes += smtp_write(sock,
		"Received: by %s (sSMTP sendmail emulation); %s", hostname, arpadate);

	if(have_from == False) {
		outbytes += smtp_write(sock, "From: %s", from);
	}

	if(have_date == False) {
		outbytes += smtp_write(sock, "Date: %s", arpadate);
	}

#ifdef HASTO_OPTION
	if(have_to == False) {
		outbytes += smtp_write(sock, "To: postmaster");
	}
#endif

	ht = &headers;
	while(ht->next) {
		outbytes += smtp_write(sock, "%s", ht->string);
		ht = ht->next;
	}

	(void)alarm((unsigned) MEDWAIT);

	/* End of headers, start body */
	outbytes += smtp_write(sock, "");

	/*prevent blocking on pipes, we really shouldnt be using
	  stdio functions like fgets in the first place */
	fcntl(STDIN_FILENO,F_SETFL,O_NONBLOCK);

	while(!feof(stdin)) {
		if (!fgets(buf, bufsize, stdin)) {
			/* if nothing was received, then no transmission
			 * over smtp should be done */
			sleep(1);
			/* don't hang forever when reading from stdin */
			if (++timeout >= MEDWAIT) {
				log_event(LOG_ERR, "killed: timeout on stdin while reading body -- message saved to dead.letter.");
				die("Timeout on stdin while reading body");
			}
			continue;
		}
		/* Trim off \n, double leading .'s */
		leadingdot = standardise(buf, &linestart);

		if (linestart || feof(stdin)) {
			linestart = True;
			outbytes += smtp_write(sock, "%s", leadingdot ? b : buf);
		} else {
			if (log_level > 0) {
				log_event(LOG_INFO, "Sent a very long line in chunks");
			}
			if (leadingdot) {
				outbytes += fd_puts(sock, b, sizeof(b));
			} else {
				outbytes += fd_puts(sock, buf, bufsize);
			}
		}
		(void)alarm((unsigned) MEDWAIT);
	}
	if(!linestart) {
		smtp_write(sock, "");
	}
	/* End of body */

	outbytes += smtp_write(sock, ".");
	(void)alarm((unsigned) MAXWAIT);

	if(smtp_okay(sock, buf) == 0) {
		die("%s", buf);
	}

	/* Close connection */
	(void)signal(SIGALRM, SIG_IGN);

	outbytes += smtp_write(sock, "QUIT");
	(void)smtp_okay(sock, buf);
	(void)close(sock);

	log_event(LOG_INFO, "Sent mail for %s (%s) uid=%d username=%s outbytes=%d", 
		from_strip(uad), buf, uid, pw->pw_name, outbytes);

	return(0);
}
Beispiel #11
/*
 * Runs one HTTP proxy authentication attempt on socket s with the next
 * login/password pair from hydra_get_next_login()/hydra_get_next_password().
 *
 * When the mechanism is not already Basic and is either AUTH_ERROR or has no
 * cached reply in http_proxy_buf, an unauthenticated GET is sent first and the
 * reply is scanned for a Proxy-Authenticate header. The attempt then uses
 * Basic, NTLM or (with LIBOPENSSL) Digest, and the status code of the final
 * reply decides the outcome.
 *
 * miscptr: URL to request through the proxy; NULL selects a built-in default.
 * Returns 3 on the error paths below and when hydra_get_next_pair() yields
 * HYDRA_EXIT; otherwise 2 if http_proxy_buf still holds a reply line and 1 if
 * it does not.
 *
 * NOTE(review): every line read with hydra_receive_line() comes from the
 * remote peer. Several fixed-size stack buffers below are filled from those
 * lines, or from miscptr, without a length check; see the inline notes.
 */
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  // NOTE(review): host is 30 bytes, but the miscptr branch below formats
  // "Host: %.200s" into it and then appends "\r\n" -- that can write far past
  // the end of the array for any host part longer than about 20 characters.
  char url[210], host[30];
  char *header = "";            /* XXX TODO */
  char *ptr, *fooptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (miscptr == NULL) {
    strcpy(url, "http://www.microsoft.com/");
    strcpy(host, "Host: www.microsoft.com\r\n");
  } else {
    sprintf(url, "%.200s", miscptr);
    // ptr is NULL here if miscptr has no "://"; this function relies on the
    // caller having rejected such input before ptr + 3 is used
    ptr = strstr(miscptr, "://");       // :// check is in hydra.c
    sprintf(host, "Host: %.200s", ptr + 3);
    // cut the host at the first '/' (start of the path)
    if ((ptr = index(host, '/')) != NULL)
      *ptr = 0;
    // cut a trailing ":port"
    // NOTE(review): host[0] is always 'H' (from "Host: "), so the '[' test is
    // always true; presumably host[6] was meant, to skip IPv6 literals -- confirm
    if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[')
      *ptr = 0;
    strcat(host, "\r\n");
  }

  if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) {
    //send dummy request
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;

    //receive first 40x
    // skip lines until one contains "HTTP/" (the status line)
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    // keep reading until the Proxy-Authenticate header shows up; that line
    // stays in http_proxy_buf and selects the mechanism further down
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    //after the first query we should have been disconnected from web server
    s = hydra_disconnect(s);
    if ((options & OPTION_SSL) == 0) {
      s = hydra_connect_tcp(ip, port);
    } else {
      s = hydra_connect_ssl(ip, port, hostname);
    }
  }

  if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) {
    http_proxy_auth_mechanism = AUTH_BASIC;
    // login and pass are each cut to 50 characters here; buffer2 is used as
    // the base64 text after hydra_tobase64()
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
    // note: with debug set, the request written to stderr includes the
    // base64-encoded credentials
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    //if server cut the connection, just exit cleanly or 
    //this will be an infinite loop
    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);
  } else {
    if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {

      // scratch space for the NTLM messages: buf2 holds the binary message,
      // buf1 its base64 form (and, later, the decoded challenge)
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      http_proxy_auth_mechanism = AUTH_NTLM;
      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      //send the first..
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      //receive challenge
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }
      if (pos != NULL) {
        char *str;

        // 25 == strlen("Proxy-Authenticate: NTLM "); pos now points at the
        // base64 challenge, which is terminated at the first CR or LF
        pos += 25;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      }
      //recover challenge
      // NOTE(review): from64tobits() is given no output size; the challenge
      // text comes from the peer, so a long enough header line can write past
      // buf1[4096] unless hydra_receive_line() bounds the line -- confirm.
      // This branch returns 3 right after decoding.
      if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) {
        from64tobits((char *) buf1, pos);
        free(http_proxy_buf);
        http_proxy_buf = NULL;
        return 3;
      }
      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      // NOTE(review): buf1 now holds the base64 response built from login and
      // pass; nothing checks that the formatted request fits buffer[500] --
      // TODO confirm the size limits on login/pass
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      if (http_proxy_buf != NULL)
       free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }

      if (http_proxy_buf == NULL)
        return 3;
    } else {
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {

        char *pbuffer;

        http_proxy_auth_mechanism = AUTH_DIGESTMD5;
        // NOTE(review): the test above matches "...Digest" without the
        // trailing space, this lookup requires it; if the header has no
        // space after "Digest", pbuffer is NULL and the strncpy below reads
        // from an invalid address
        pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
        // copy the challenge parameters, truncated to buffer and terminated
        strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
        buffer[sizeof(buffer) - 1] = '\0';
        pbuffer = NULL;

        fooptr = buffer2;
        // NOTE(review): fooptr is passed by value, so the call cannot set it
        // to NULL; the check after it is always false and a failure inside
        // sasl_digest_md5() is not detected here. The size of what it writes
        // into buffer2[500] is not visible from this function.
        sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
        if (fooptr == NULL)
          return 3;

        if (debug)
          hydra_report(stderr, "C:%s\n", buffer2);
        if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
          return 3;

        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
        while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
          free(http_proxy_buf);
          http_proxy_buf = hydra_receive_line(s);
        }

        if (debug && http_proxy_buf != NULL)
          hydra_report(stderr, "S:%s\n", http_proxy_buf);

        if (http_proxy_buf == NULL)
          return 3;

      } else
#endif
      {
        // no supported scheme was offered: report it, drop the cached reply
        if (http_proxy_buf != NULL) {
//          buf[strlen(http_proxy_buf) - 1] = '\0';
          hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf);
          free(http_proxy_buf);
          http_proxy_buf = NULL;
        } else {
          hydra_report(stderr, "Unsupported Auth type\n");
        }
        return 3;
      }
    }
  }

  // ptr is set to the first character after the first space of the status
  // line, i.e. the first digit of the status code.
  // NOTE(review): the loops above only guarantee that the line contains
  // "HTTP/1."; if it has no space, index() returns NULL and ptr is invalid,
  // and *(ptr + 2) assumes at least three characters follow the space.
  ptr = ((char *) index(http_proxy_buf, ' ')) + 1;
  // treated as success: first digit '2', or first digit '3' with third digit '1' or '2'
  if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
    hydra_report_found_host(port, ip, "http-proxy", fp);
    hydra_completed_pair_found();
    free(http_proxy_buf);
    http_proxy_buf = NULL;
  } else {
    // note: both messages below write the clear-text login and password to stderr
    if (*ptr != '4')
      hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass);
    else if (verbose && *(ptr + 2) == '3')
      hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass);
    hydra_completed_pair();
    // read on to the next Proxy-Authenticate header so that it is cached in
    // http_proxy_buf for the following call
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  if (http_proxy_buf != NULL)
    return 2;
  else
    return 1;
}
Beispiel #12
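/*
 * RFC 5802: Salted Challenge Response Authentication Mechanism
 * Note: SCRAM is a client-first SASL mechanism
 * I want to thx Simon Josefsson for his public server test,
 * and my girlfriend that let me work on that 2 whole nights ;)
 *
 * Computes the SCRAM-SHA-1 client-final-message for one exchange.
 *
 * result                  output buffer; it is written with a 500-byte limit,
 *                         so it must hold at least 500 bytes. It is set to the
 *                         empty string when the message cannot be built
 *                         (assigning NULL to the parameter, as the code did
 *                         before, is invisible to the caller).
 * pass                    clear-text password, normalised with sasl_saslprep()
 * clientfirstmessagebare  the client-first-message-bare sent earlier
 * serverfirstmessage      the reply "r=<nonce>,s=<base64 salt>,i=<count>"; it
 *                         comes from the remote peer, so every field is
 *                         checked before it is used
 */
void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage) {
  int saltlen = 0;
  int iter = 4096;
  char *salt, *nonce, *ic;
  unsigned int resultlen = 0;
  char clientfinalmessagewithoutproof[200];
  char buffer[500];
  /* Decoded salt. Base64 output is shorter than its input, and the input is
     a slice of buffer, so this can never be too small. */
  unsigned char saltbits[sizeof(buffer)];
  unsigned char SaltedPassword[SHA_DIGEST_LENGTH];
  unsigned char ClientKey[SHA_DIGEST_LENGTH];
  unsigned char StoredKey[SHA_DIGEST_LENGTH];
  unsigned char ClientSignature[SHA_DIGEST_LENGTH];
  char AuthMessage[1024];
  char ClientProof[SHA_DIGEST_LENGTH];
  unsigned char clientproof_b64[50];
  char *preppasswd = NULL;
  const char *errmsg = NULL;

  if (result == NULL)
    return;

  if (sasl_saslprep(pass, 0, &preppasswd)) {
    /* nothing is freed on this path, as before */
    preppasswd = NULL;
    goto fail;
  }
  if (serverfirstmessage == NULL) {
    errmsg = "Error: Can't understand server message\n";
    goto fail;
  }
  /*client-final-message */
  if (debug)
    hydra_report(stderr, "DEBUG S: %s\n", serverfirstmessage);
  //r=hydra28Bo7kduPpAZLzhRQiLxc8Y9tiwgw+yP,s=ldDgevctH+Kg7b8RnnA3qA==,i=4096
  if (strstr(serverfirstmessage, "r=") == NULL) {
    errmsg = "Error: Can't understand server message\n";
    goto fail;
  }

  /* strtok() modifies its input, so split a bounded private copy */
  strncpy(buffer, serverfirstmessage, sizeof(buffer) - 1);
  buffer[sizeof(buffer) - 1] = '\0';
  nonce = strtok(buffer, ",");
  //continue to search from the previous successful call
  salt = strtok(NULL, ",");
  ic = strtok(NULL, ",");

  /* A reply with fewer than three fields leaves ic NULL; a field shorter than
     "i=" would make ic + 2 point past its terminator. Zero and negative
     counts are rejected. */
  if (ic == NULL || strlen(ic) <= 2 || (iter = atoi(ic + 2)) <= 0) {
    errmsg = "Error: Can't understand server response\n";
    goto fail;
  }
  /* NOTE(review): the iteration count is chosen by the peer and only bounded
     by INT_MAX; a very large value makes the PBKDF2 call below expensive.
     Consider an upper limit. */

  if ((nonce != NULL) && (strlen(nonce) > 2))
    snprintf(clientfinalmessagewithoutproof, sizeof(clientfinalmessagewithoutproof), "c=biws,%s", nonce);
  else {
    errmsg = "Error: Could not identify server nonce value\n";
    goto fail;
  }

  if (salt == NULL || strlen(salt) <= 2) {
    errmsg = "Error: Could not identify server salt value\n";
    goto fail;
  }
  /* SaltedPassword := Hi(Normalize(password), salt, i) */
  //s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s=
  /* Decode into a separate array: the earlier code copied and decoded within
     buffer itself, where source and destination could overlap. */
  saltlen = from64tobits((char *) saltbits, salt + 2);
  if (saltlen < 0) {
    /* a negative length is treated as a decode failure */
    errmsg = "Error: Could not identify server salt value\n";
    goto fail;
  }
  if (PKCS5_PBKDF2_HMAC_SHA1(preppasswd, strlen(preppasswd), saltbits, saltlen, iter, SHA_DIGEST_LENGTH, SaltedPassword) != 1) {
    errmsg = "Error: Failed to generate PBKDF2\n";
    goto fail;
  }

  /* ClientKey := HMAC(SaltedPassword, "Client Key") */
#define CLIENT_KEY "Client Key"
  HMAC(EVP_sha1(), SaltedPassword, SHA_DIGEST_LENGTH, (const unsigned char *) CLIENT_KEY, strlen(CLIENT_KEY), ClientKey, &resultlen);
  /* StoredKey := H(ClientKey) */
  SHA1((const unsigned char *) ClientKey, SHA_DIGEST_LENGTH, StoredKey);
  /* ClientSignature := HMAC(StoredKey, AuthMessage) */
  /* use the real array size: a message cut at 500 bytes would give a
     signature the server cannot verify */
  snprintf(AuthMessage, sizeof(AuthMessage), "%s,%s,%s", clientfirstmessagebare, serverfirstmessage, clientfinalmessagewithoutproof);
  HMAC(EVP_sha1(), StoredKey, SHA_DIGEST_LENGTH, (const unsigned char *) AuthMessage, strlen(AuthMessage), ClientSignature, &resultlen);
  /* ClientProof := ClientKey XOR ClientSignature */
  xor(ClientProof, (char *) ClientKey, (char *) ClientSignature, SHA_DIGEST_LENGTH);
  to64frombits(clientproof_b64, (const unsigned char *) ClientProof, SHA_DIGEST_LENGTH);
  snprintf(result, 500, "%s,p=%s", clientfinalmessagewithoutproof, clientproof_b64);
  if (debug)
    hydra_report(stderr, "DEBUG C: %s\n", result);
  free(preppasswd);
  return;

fail:
  if (errmsg != NULL)
    hydra_report(stderr, "%s", errmsg);
  free(preppasswd);
  /* make the failure visible to the caller through the buffer it owns */
  result[0] = '\0';
}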
Beispiel #13
/*
 * Runs one IMAP authentication attempt on socket s with the next
 * login/password pair, using the mechanism selected by imap_auth_mechanism
 * (LOGIN, PLAIN, NTLM, the CRAM/DIGEST/SCRAM family when LIBOPENSSLNEW is
 * defined, or the plain LOGIN command by default).
 *
 * Each case sends the mechanism's opening command and any intermediate steps,
 * and leaves the final line to send in buffer; the common tail sends it and
 * classifies the reply.
 *
 * Returns 1 on a send/receive failure and after a reported success, 3 when
 * the server rejects the mechanism, when sasl_saslprep() fails or when
 * hydra_get_next_pair() yields HYDRA_EXIT, and 2 after a rejected pair
 * (1 instead when counter == 4).
 *
 * buf and counter are not declared in this function; presumably they are
 * file-scope variables -- confirm against the rest of the file.
 *
 * NOTE(review): every line read with hydra_receive_line() comes from the
 * remote peer. Several 500-byte stack buffers below are filled from those
 * lines, or from login/pass, without a length check; see the inline notes.
 */
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  // discard whatever the server has already sent
  while (hydra_data_ready(s)) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (imap_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    // NOTE(review): unbounded copy into buffer2[500]; assumes the caller
    // limits the login length -- TODO confirm
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    // the encoded login is cut to 250 characters before sending
    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    // NOTE(review): same unbounded copy as for login above
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;

  case AUTH_PLAIN:
    sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    // NOTE(review): buffer is both the destination and a "%s" argument;
    // sprintf() with overlapping objects is undefined behaviour in C
    sprintf(buffer, "%.250s\r\n", buffer);
    break;

#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }
      // NOTE(review): preplogin is freed only at the end of this case; the
      // early returns between here and there skip that free

      switch (imap_auth_mechanism) {

      case AUTH_CRAMMD5:
        sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter);
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter);
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        switch (imap_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      // buf + 2 skips the first two characters of the continuation line
      // (presumably "+ "), which assumes the line has at least two.
      // NOTE(review): from64tobits() is given no output size; the challenge
      // comes from the peer and is decoded into buffer[500] unchecked.
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      // buffer holds the decoded challenge, buffer2 receives the digest text;
      // the response "<login> <digest>" is then built back into buffer.
      // NOTE(review): preplogin is formatted with an unbounded "%s".
      switch (imap_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      // NOTE(review): overlapping source and destination again (undefined behaviour)
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;
  case AUTH_DIGESTMD5:{
      sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      // NOTE(review): decoded from buf here, not buf + 2 as in the other
      // cases -- confirm whether from64tobits() skips the prefix itself.
      // The decode into buffer[500] is unbounded, as above.
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
      // NOTE(review): buffer2 is an array, so this comparison is never true
      // and a failure inside sasl_digest_md5() goes undetected here
      if (buffer2 == NULL)
        return 3;
      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      // NOTE(review): buffer and buffer2 are both 500 bytes, so a full
      // buffer2 plus "\r\n" does not fit
      sprintf(buffer, "%s\r\n", buffer2);

    }
    break;
  case AUTH_SCRAMSHA1:{
      char clientfirstmessagebare[200];
      char serverfirstmessage[200];
      char *preplogin;
      int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);

      if (rc) {
        return 3;
      }
      // NOTE(review): the early returns below, before free(preplogin), skip that free
      sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      // client-first-message-bare; the client nonce is the constant "hydra"
      snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
      free(preplogin);
      memset(buffer2, 0, sizeof(buffer2));
      // "n,," is the GS2 header placed in front of the bare message
      sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
        free(buf);
        return 1;
      } else {
        /* recover server challenge */
        memset(buffer, 0, sizeof(buffer));
        //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2
        // NOTE(review): unbounded decode of peer data into buffer[500]; only
        // the copy into serverfirstmessage below is length-limited
        from64tobits((char *) buffer, buf + 2);
        free(buf);
        strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
        serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';

        memset(buffer2, 0, sizeof(buffer2));
        sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
        // NOTE(review): buffer2 is an array, so this comparison is never true
        if (buffer2 == NULL) {
          hydra_report(stderr, "[ERROR] Can't compute client response\n");
          return 1;
        }
        hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
        // NOTE(review): a full buffer2 plus "\r\n" does not fit buffer[500]
        sprintf(buffer, "%s\r\n", buffer2);
      }
    }
    break;
#endif
  case AUTH_NTLM:{
      // buf2 holds the binary NTLM message, buf1 its base64 form (and, in
      // between, the decoded challenge)
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: let the server send its own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      // NOTE(review): buf1 is a 4096-byte array formatted into buffer[500]
      // with an unbounded "%s"; nothing here checks that it fits
      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return (1);

      //recover challenge
      // NOTE(review): unbounded decode of a peer-supplied line into
      // buf1[4096]; buf + 2 also assumes at least two characters
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      // NOTE(review): same unbounded "%s" of buf1 into buffer[500] as above
      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    //clear authentication
    // login and pass are each cut to 100 characters here
    sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
  }

  // common tail: send the line prepared above and classify the reply
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

  // a reply containing " NO ", "failed", " BAD " or "BYE" is a rejection
  if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] %s\n", buf);
    free(buf);
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    if (counter == 4)
      return 1;
    return (2);
  }
  free(buf);

  hydra_report_found_host(port, ip, "imap", fp);
  hydra_completed_pair_found();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #14
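/*
 * Reads data from sock until it contains an NNTP status line: a digit in the
 * first position and a space in the fourth, either at the start of the
 * received data or at the start of its last embedded line.
 *
 * Returns the buffer obtained from hydra_receive_line() that holds that line
 * (earlier buffers are freed here, the returned one is left to the caller),
 * or NULL once hydra_receive_line() returns NULL.
 *
 * The received text comes from the remote peer, so every index is checked
 * against the actual string length: an empty or very short line must not be
 * read at buf[3] or at buf[strlen(buf) - 1].
 */
char *nntp_read_server_capacity(int sock) {
  char *ptr = NULL;
  int resp = 0;
  char *buf = NULL;
  size_t len = 0;

  do {
    free(buf);                  /* free(NULL) is a no-op */
    ptr = buf = hydra_receive_line(sock);
    if (buf != NULL) {
      len = strlen(buf);
      /* the length test keeps buf[3] inside the string; the unsigned char
         cast keeps isdigit() defined for bytes above 0x7f */
      if (len > 3 && isdigit((unsigned char) buf[0]) && buf[3] == ' ')
        resp = 1;
      else {
        /* strip one trailing "\n" and then one "\r", if present */
        if (len > 0 && buf[len - 1] == '\n')
          buf[--len] = 0;
        if (len > 0 && buf[len - 1] == '\r')
          buf[--len] = 0;
        /* strrchr() is the standard equivalent of rindex(), so no
           NO_RINDEX switch is needed */
        if ((ptr = strrchr(buf, '\n')) != NULL) {
          ptr++;
          if (strlen(ptr) > 3 && isdigit((unsigned char) *ptr) && *(ptr + 3) == ' ')
            resp = 1;
        }
      }
    }
  } while (buf != NULL && resp == 0);
  return buf;
}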

int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[300], buffer2[500];
  int i = 1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (i > 0 && hydra_data_ready(s) > 0)
    i = hydra_recv(s, buffer, 300);

  switch (nntp_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;
  case AUTH_PLAIN:
    sprintf(buffer, "AUTHINFO SASL PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;
#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);
      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;

#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", (char*)buf1);
    }
    break;

  default:{
      sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (buf[0] != '3') {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
        free(buf);
        return (3);
      }
      free(buf);
      sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
    }
    break;
  }


  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;

  if (buf[0] == '2') {
    hydra_report_found_host(port, ip, "nntp", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
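/**
 * Let the user pick a file and load it, base64-encoded, into this element's BLOB.
 *
 * On success bp->blob points at the encoded data, bp->size is the encoded
 * length returned by to64frombits(), bp->bloblen is the raw file size and
 * blobDirty is set. If the dialog is cancelled or any step fails, bp and
 * blobDirty are left as they were.
 */
void INDI_E::browseBlob()
{
    QFile fp;
    QString filename;
    QString format;
    QDataStream binaryStream;
    int pos = 0;
    KUrl currentURL;

    currentURL = KFileDialog::getOpenUrl( QDir::homePath(), "*");

    // if user presses cancel
    if (currentURL.isEmpty())
        return;

    if ( currentURL.isValid() )
        write_w->setText(currentURL.path());

    // filename was never assigned before, so the extension lookup and every
    // error message below worked on an empty string.
    filename = currentURL.path();
    fp.setFileName(filename);

    // NOTE(review): format is computed but not stored anywhere in this function.
    if ( (pos = filename.lastIndexOf(".")) != -1)
        format = filename.mid (pos, filename.length());

    //qDebug() << "Filename is " << fp.fileName() << endl;

    if (!fp.open(QIODevice::ReadOnly))
    {
        KMessageBox::error(0, i18n("Cannot open file %1 for reading", filename));
        return;
    }

    binaryStream.setDevice(&fp);

    // Sizes are kept as qint64 until they are known to fit the int-based
    // interfaces used below (readRawData, to64frombits).
    const qint64 rawSize = fp.size();
    const qint64 encodedCapacity = 4 * rawSize / 3 + 4;

    if (rawSize < 0 || encodedCapacity != static_cast<qint64>(static_cast<int>(encodedCapacity)))
    {
        KMessageBox::error(0, i18n("Not enough memory to load %1", filename));
        fp.close();
        return;
    }

    // A plain new[] normally throws instead of returning NULL; the NULL checks
    // are kept for builds where it does not.
    unsigned char *data_file = new unsigned char[rawSize];

    if (data_file == NULL)
    {
        KMessageBox::error(0, i18n("Not enough memory to load %1", filename));
        fp.close();
        return;
    }

    // A short read would otherwise leave uninitialised bytes in the encoded BLOB.
    if (binaryStream.readRawData((char*)data_file, static_cast<int>(rawSize)) != rawSize)
    {
        KMessageBox::error(0, i18n("Cannot open file %1 for reading", filename));
        delete [] data_file;
        fp.close();
        return;
    }

    unsigned char *encoded = new unsigned char[encodedCapacity];
    if (encoded == NULL)
    {
        KMessageBox::error(0, i18n("Not enough memory to convert file %1 to base64", filename));
        delete [] data_file;
        fp.close();
        return;   // the original fell through here and encoded into a NULL pointer
    }

    const int data64_size = to64frombits (encoded, data_file, static_cast<int>(rawSize));

    delete [] data_file;

    // NOTE(review): any buffer bp->blob pointed at before is not released here;
    // ownership of the previous BLOB is not visible in this function.
    bp->blob    = encoded;
    bp->bloblen = rawSize;
    bp->size    = data64_size;

    //qDebug() << "BLOB " << bp->name << " has size of " << bp->size << " and bloblen of " << bp->bloblen << endl;

    blobDirty = true;

}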
Beispiel #16
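/* Return non-zero when inlen raw bytes, base64-encoded and NUL-terminated,
 * fit into an output buffer of outsize bytes (4 output chars per 3 input bytes). */
static int SMTP_auth_b64_fits(size_t inlen, size_t outsize)
{
	return 4 * ((inlen + 2) / 3) + 1 <= outsize;
}

/* Decode the base64 payload that follows the first space of a server reply
 * into out (outsize bytes). Returns the from64tobits() result, or 0 when the
 * reply contains no space at all. */
static int SMTP_auth_decode_reply(char *reply, char *out, size_t outsize)
{
	char *p = strchr(reply, ' ');

	if (!p)
		return 0;
	/* (hmh) from64tobits will not NULL-terminate strings! */
	return from64tobits(out, p + 1, outsize - 1);
}

/* ESMTP Authentication support for fetchmail by Wojciech Polak
 *
 * Picks CRAM-MD5, PLAIN or LOGIN, in that order, depending on which name
 * appears in buf (the server's advertised mechanisms), and runs the exchange
 * on sock. Does nothing when username or password is NULL.
 *
 * Server replies are untrusted: a reply without a space, or with a payload
 * that does not decode, aborts the exchange through SMTP_auth_error().
 * Credentials that would not fit the 512-byte work buffers once base64-encoded
 * are refused before anything is sent, instead of overrunning b64buf.
 *
 * PLAIN and LOGIN put the password on the wire in reversible form; whether the
 * session is protected by TLS is not visible in this function.
 */
static void SMTP_auth(int sock, char smtp_mode, char *username, char *password, char *buf)
{
	char b64buf[512];
	char tmp[512];
	size_t ulen, plen;

	if (!username || !password) return;

	ulen = strlen(username);
	plen = strlen(password);

	memset(b64buf, 0, sizeof(b64buf));
	memset(tmp, 0, sizeof(tmp));

	if (strstr(buf, "CRAM-MD5")) {
		unsigned char digest[16];
		memset(digest, 0, sizeof(digest));

		/* response is "<username> <32 hex digits>" */
		if (ulen + 33 >= sizeof(tmp) || !SMTP_auth_b64_fits(ulen + 33, sizeof(b64buf))) {
			report(stderr, GT_("Username or password too long for ESMTP authentication.\n"));
			return;
		}

		if (outlevel >= O_MONITOR)
			report(stdout, GT_("ESMTP CRAM-MD5 Authentication...\n"));
		SockPrintf(sock, "AUTH CRAM-MD5\r\n");
		SockRead(sock, smtp_response, sizeof(smtp_response) - 1);
		strlcpy(tmp, smtp_response, sizeof(tmp));

		if (strncmp(tmp, "334", 3)) { /* Server rejects AUTH */
			SMTP_auth_error(sock, GT_("Server rejected the AUTH command.\n"));
			return;
		}

		/* b64buf was zeroed above and at most sizeof - 1 bytes are written,
		 * so the decoded challenge is NUL-terminated for strlen() below. */
		if (SMTP_auth_decode_reply(tmp, b64buf, sizeof(b64buf)) <= 0) {
			SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
			return;
		}
		if (outlevel >= O_DEBUG)
			report(stdout, GT_("Challenge decoded: %s\n"), b64buf);
		hmac_md5((unsigned char *)password, strlen(password),
			 (unsigned char *)b64buf, strlen(b64buf), digest, sizeof(digest));
		snprintf(tmp, sizeof(tmp),
		"%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
		username,  digest[0], digest[1], digest[2], digest[3],
		digest[4], digest[5], digest[6], digest[7], digest[8],
		digest[9], digest[10], digest[11], digest[12], digest[13],
		digest[14], digest[15]);

		to64frombits(b64buf, tmp, strlen(tmp));
		SockPrintf(sock, "%s\r\n", b64buf);
		SMTP_ok(sock, smtp_mode, TIMEOUT_DEFAULT);
	}
	else if (strstr(buf, "PLAIN")) {
		/* message is NUL username NUL password */
		size_t len = ulen + plen + 2;

		if (len >= sizeof(tmp) || !SMTP_auth_b64_fits(len, sizeof(b64buf))) {
			report(stderr, GT_("Username or password too long for ESMTP authentication.\n"));
			return;
		}

		if (outlevel >= O_MONITOR)
			report(stdout, GT_("ESMTP PLAIN Authentication...\n"));

		/* Built by position rather than with '^' placeholders, which also
		 * turned every '^' inside the username or password into a NUL. */
		tmp[0] = '\0';
		memcpy(tmp + 1, username, ulen);
		tmp[1 + ulen] = '\0';
		memcpy(tmp + 2 + ulen, password, plen);

		to64frombits(b64buf, tmp, len);
		SockPrintf(sock, "AUTH PLAIN %s\r\n", b64buf);
		SMTP_ok(sock, smtp_mode, TIMEOUT_DEFAULT);
	}
	else if (strstr(buf, "LOGIN")) {
		if (!SMTP_auth_b64_fits(ulen, sizeof(b64buf)) || !SMTP_auth_b64_fits(plen, sizeof(b64buf))) {
			report(stderr, GT_("Username or password too long for ESMTP authentication.\n"));
			return;
		}

		if (outlevel >= O_MONITOR)
			report(stdout, GT_("ESMTP LOGIN Authentication...\n"));
		SockPrintf(sock, "AUTH LOGIN\r\n");
		SockRead(sock, smtp_response, sizeof(smtp_response) - 1);
		strlcpy(tmp, smtp_response, sizeof(tmp));

		if (strncmp(tmp, "334", 3)) { /* Server rejects AUTH */
			SMTP_auth_error(sock, GT_("Server rejected the AUTH command.\n"));
			return;
		}

		/* The prompt is only decoded to validate it; its content is unused. */
		if (SMTP_auth_decode_reply(tmp, b64buf, sizeof(b64buf)) <= 0) {
			SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
			return;
		}
		to64frombits(b64buf, username, strlen(username));
		SockPrintf(sock, "%s\r\n", b64buf);
		SockRead(sock, smtp_response, sizeof(smtp_response) - 1);
		strlcpy(tmp, smtp_response, sizeof(tmp));

		memset(b64buf, 0, sizeof(b64buf));
		if (SMTP_auth_decode_reply(tmp, b64buf, sizeof(b64buf)) <= 0) {
			SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
			return;
		}
		to64frombits(b64buf, password, strlen(password));
		SockPrintf(sock, "%s\r\n", b64buf);
		SMTP_ok(sock, smtp_mode, TIMEOUT_DEFAULT);
	}
	return;
}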
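/*
 * Run one NTLM exchange against an HTTP proxy for the next login/password
 * pair: a plain HEAD request, a HEAD carrying the NTLM request message, then
 * a HEAD carrying the NTLM response built from the server's challenge.
 *
 * Returns 1 on I/O failure or after the pair has been processed, and 3 when
 * hydra_get_next_pair() signals HYDRA_EXIT or the server's reply cannot be
 * parsed (3 is the code the sibling modules on this page use for protocol
 * errors).
 *
 * Everything read from the socket is untrusted: reply lines are checked for
 * NULL before use, freed once consumed, and the challenge is length-checked
 * before it is decoded into the fixed-size buf1.
 */
int
start_http_proxy_auth_ntlm(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
  char *empty = "";
  char *login, *pass;
  /* large enough for url + host + a full buf1 of base64 + the fixed header text */
  char buffer[4096 + 512];
  char url[210], host[30];
  char *header = "";            /* XXX TODO */
  char *ptr = NULL;
  unsigned char buf1[4096];
  unsigned char buf2[4096];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (miscptr == NULL) {
    strcpy(url, "http://www.microsoft.com/");
    strcpy(host, "Host: www.microsoft.com\r\n");
  } else {
    sprintf(url, "%.200s", miscptr);
    strcpy(host, ""); /* too lazy to parse the URL, me too */
  }

  //send dummy request
  snprintf(buffer, sizeof(buffer), "HEAD %s HTTP/1.0\r\n%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  //receive first 40x
  // The NULL test must come before strstr(); skipped lines are freed.
  buf = hydra_receive_line(s);
  while (buf != NULL && strstr(buf, "HTTP") == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }
  if (buf == NULL)
    return 1;
  free(buf);

  //send auth and receive challenge
  //send auth request: let the server send it's own hostname and domainname
  // NOTE(review): to64frombits() gets no output size; this relies on
  // SmbLength() staying below 3/4 of sizeof(buf1) - confirm against the
  // NTLM structure definitions.
  buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
  to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2));

  //send the first..
  snprintf(buffer, sizeof(buffer), "HEAD %s HTTP/1.0\r\n%sAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, (char *) buf1, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  //receive challenge
  buf = hydra_receive_line(s);
  while (buf != NULL && (ptr = strstr(buf, "WWW-Authenticate: NTLM ")) == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }
  if (buf == NULL)
    return 1;

  //recover challenge
  // Start at the matched header (not a fixed offset from the start of the
  // buffer) and stop at the end of that line.
  ptr += strlen("WWW-Authenticate: NTLM ");
  ptr[strcspn(ptr, "\r\n")] = '\0';
  // base64 decodes to at most 3 bytes per 4 characters; refuse a challenge
  // that could not fit in buf1.
  if (strlen(ptr) / 4 * 3 + 4 > sizeof(buf1)) {
    free(buf);
    return 3;
  }
  // cleared so a short challenge is not followed by leftovers of the request
  memset(buf1, 0, sizeof(buf1));
  from64tobits((char*)buf1, ptr);
  free(buf);

  //Send response
  buildAuthResponse((tSmbNtlmAuthChallenge*)buf1,(tSmbNtlmAuthResponse*)buf2,0,login,pass,NULL,NULL);
  to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2));
  snprintf(buffer, sizeof(buffer), "HEAD %s HTTP/1.0\r\n%sAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, (char *) buf1, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  buf = hydra_receive_line(s);
  while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }

  if (buf == NULL)
    return 1;

  // A status line without a space has no status code to inspect.
  ptr = strchr(buf, ' ');
  if (ptr == NULL) {
    free(buf);
    return 3;
  }
  ptr++;

  // ptr[1] is tested first so ptr[2] is never read past the terminator.
  if (*ptr == '2' || (*ptr == '3' && ptr[1] != '\0' && ptr[2] == '1')) {
    hydra_report_found_host(port, ip, "http-proxy", fp);
    hydra_completed_pair_found();
  } else {
    if (*ptr != '4')
      printf("Unusual return code: %c for %s:%s\n", (char) *ptr, login, pass);
    hydra_completed_pair();
  }

  free(buf);

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}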
Beispiel #18
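/* does both calls
 *
 * Sends the NTLM request message, scans the server's reply for the
 * "WWW-Authenticate: NTLM " challenge, sends the NTLM response built from it
 * and collects the final reply in responsebuf.
 *
 * Returns 0 when no challenge was found, 1 otherwise (including when the
 * final reply was cut short because it would exceed 2500 bytes).
 *
 * NOTE(review): responsebuf is assumed to hold at least 2501 bytes; the
 * caller's buffer size is not visible here.
 */
int
get_ntlm_page (char *url, char *user, char *password, char *domain,
	       char *responsebuf)
{
  tSmbNtlmAuthRequest request;
  char buf[15000], *response;
  unsigned char buf2[5000];
  /* signed, so a read() error (-1) is not mistaken for a byte count */
  long nread;

  memset (&request, 0x00, sizeof (request));
  memset (buf, 0, sizeof (buf));
  memset (buf2, 0, sizeof (buf2));

  /*first we request to authorize via NTLM */
  buildSmbNtlmAuthRequest ((tSmbNtlmAuthRequest *) & request, user, domain);
  /*go to base64 - need to integrate this into SPIKE proper */
  to64frombits (buf, (unsigned char *) &request, SmbLength (&request));
  /*throw that in to NTLM Auth: */

  send_ntlm_packet (buf, METHOD);
  spike_clear ();
  memset (buf, 0, sizeof (buf));

  printf ("reading server response\n");

  /*now we should have gotten a valid response from the server */
  response = NULL;
  for (;;)
    {
      /* NOTE(review): if s_scan_for_variable() returns a pointer into buf
         rather than a copy, this memset wipes an already found challenge on
         the next pass - confirm against its implementation. */
      memset (buf, 0x00, sizeof (buf));
      if (!s_fd_wait ())
	break;
      nread = read (our_spike->fd, buf, 2500);
      if (nread <= 0)
	break;			/* end of stream or read error */

      /*here we look for the string "WWW-Authenticate: NTLM " followed
         *             by a base64 encoded value which is deliminated by a \r\n" */
      if (response == NULL)
	{
	  response = s_scan_for_variable (buf,
					  "WWW-Authenticate: NTLM ",
					  "\r\n");
	  if (response != NULL)
	    {
	      /*found our string */
	      printf ("Found our WWW-auth string\n");
	    }
	}
    }				/*end while read loop */
  if (response == NULL)
    {
      printf ("Couldn't find WWW-Authenticate string!\n");
      return (0);

    }

  /*Grab the NTLM AUTH: response */
  /* The challenge came from a read of at most 2500 bytes, so its decoded
     form is well below sizeof(buf). */
  from64tobits (buf, response);
  buildSmbNtlmAuthResponse ((tSmbNtlmAuthChallenge *) buf,
			    (tSmbNtlmAuthResponse *) buf2, user, password);
  to64frombits (buf, buf2, SmbLength ((tSmbNtlmAuthResponse *) buf2));
  /*send that out */
  send_ntlm_packet (buf, METHOD);
  spike_clear ();

  /*now we should have gotten a valid response from the server */
  /*hopefully this will have 200 Ok */
  responsebuf[0] = 0;		/*clear this buffer */
  for (;;)
    {
      memset (buf, 0x00, sizeof (buf));
      if (!s_fd_wait ())
	break;
      nread = read (our_spike->fd, buf, 2500);
      if (nread <= 0)
	break;			/* a persistent error used to spin here */
      buf[2500] = 0;
      if (strlen (responsebuf) + strlen (buf) > 2500)
	return 1;
      strcat (responsebuf, buf);
    }				/*end while read loop */

  return 1;
}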
Beispiel #19
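/* Return the base64 payload that follows the 3-digit code of a server reply
 * line, or NULL when the line is shorter than "NNN " or when its decoded form
 * (at most 3 bytes per 4 characters) could not fit in outsize bytes. */
static char *smtp_reply_payload(char *line, size_t outsize)
{
  size_t len = strlen(line);

  if (len < 4)
    return NULL;
  if ((len - 4) / 4 * 3 + 4 > outsize)
    return NULL;
  return line + 4;
}

/*
 * Run one SMTP AUTH exchange for the next login/password pair using the
 * mechanism selected in smtp_auth_mechanism.
 *
 * Returns 1 on I/O failure or when the server accepted the pair, 2 when the
 * pair was rejected, 3 on a protocol error or when hydra_get_next_pair()
 * signals HYDRA_EXIT.
 *
 * Server replies are untrusted input. Compared with the earlier version:
 *  - a reply payload is length-checked before it is decoded into a fixed
 *    buffer, and a bare "334" line no longer makes buf + 4 point past the
 *    string;
 *  - the CRLF is appended in place instead of via sprintf(buffer, "...",
 *    buffer), whose overlapping source and destination is undefined;
 *  - formatted writes are bounded with snprintf();
 *  - preplogin is released on every early return.
 */
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, *payload;
  /* holds a whole base64 NTLM message (buf1 below) plus the command prefix */
  char buffer[4096 + 16], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (smtp_auth_mechanism) {

  case AUTH_PLAIN:
    sprintf(buffer, "AUTH PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    // NOTE(review): sasl_plain() is given no output size; its bound on
    // buffer is not visible here.
    sasl_plain(buffer, login, pass);
    // keep at most 250 characters, then terminate the line
    buffer[250] = '\0';
    strcat(buffer, "\r\n");
    break;

#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTH CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        free(preplogin);
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL) {
        free(preplogin);
        return 1;
      }
      if (strstr(buf, "334") == NULL || (payload = smtp_reply_payload(buf, sizeof(buffer))) == NULL) {
        hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        free(preplogin);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, payload);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      snprintf(buffer, sizeof(buffer), "%s %.250s", preplogin, buffer2);
      free(preplogin);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      buffer[250] = '\0';
      strcat(buffer, "\r\n");
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL || (payload = smtp_reply_payload(buf, sizeof(buffer))) == NULL) {
        hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, payload);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      // The former "buffer2 == NULL" test was dropped: buffer2 is an array
      // and can never be NULL. NOTE(review): how sasl_digest_md5() reports
      // failure is not visible here.
      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      // NOTE(review): to64frombits() gets no output size; this relies on
      // SmbLength() staying below 3/4 of sizeof(buf1) - confirm.
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      snprintf(buffer, sizeof(buffer), "AUTH NTLM %s\r\n", (char *) buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL || (payload = smtp_reply_payload(buf, sizeof(buf1))) == NULL) {
        hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      // cleared so a short challenge is not followed by leftovers of the request
      memset(buf1, 0, sizeof(buf1));
      from64tobits((char *) buf1, payload);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      snprintf(buffer, sizeof(buffer), "%s\r\n", (char *) buf1);
    }
    break;

  default:
    /* by default trying AUTH LOGIN */
    sprintf(buffer, "AUTH LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;

    /* 504 5.7.4 Unrecognized authentication type  */
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    sprintf(buffer2, "%.250s", login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);

    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);

    sprintf(buffer2, "%.250s", pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

#ifdef LIBOPENSSLNEW
  if (smtp_auth_mechanism == AUTH_DIGESTMD5) {
    // A reply that is too short or too long to decode is treated like any
    // other reply without "rspauth=".
    if (strstr(buf, "334") != NULL && (payload = smtp_reply_payload(buf, sizeof(buffer2))) != NULL) {
      memset(buffer2, 0, sizeof(buffer2));
      from64tobits((char *) buffer2, payload);
      if (strstr(buffer2, "rspauth=") != NULL) {
        hydra_report_found_host(port, ip, "smtp", fp);
        hydra_completed_pair_found();
        free(buf);
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 1;
      }
    }
  } else
#endif
  {
    if (strstr(buf, "235") != NULL) {
      hydra_report_found_host(port, ip, "smtp", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}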
/*
 * Request the URL held in the next "login" entry through an HTTP proxy and
 * report it when the proxy's status code is 2xx, 3x1/3x2 (or, see the note at
 * the result analysis, 403/404). When miscptr has the form "user:pass" and the
 * proxy advertises Basic, NTLM or (with LIBOPENSSL) Digest, an authenticated
 * request is sent.
 *
 * Returns 1 on I/O failure or after the entry has been processed, and 3 on
 * protocol errors, an unsupported auth type, a 407 reply, or HYDRA_EXIT.
 *
 * The code is left unchanged here because several statements look
 * inconsistent with each other and the intended behaviour cannot be settled
 * from this function alone; the NOTE(review) comments mark the places where
 * untrusted proxy replies or long inputs reach fixed-size buffers unchecked.
 */
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
    char *empty = "";
    // NOTE(review): host[] is never written in this function, yet it is passed
    // to "%s" in the Basic, NTLM and Digest requests below - that reads
    // indeterminate stack bytes. mhost is the value that gets computed.
    char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260];
    char url[260], host[30];
    char *header = "";            /* XXX TODO */
    char *ptr;
    int auth = 0;

    // The "login" entry carries the URL to request; entries without "://" are skipped.
    login = hydra_get_next_login();
    if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) {
        hydra_completed_pair();
        return 1;
    }
    pass = hydra_get_next_password();
    pass = empty;                 // ignored

    // Copy the URL and cut the host part out of it: skip the scheme, an
    // optional '[', then stop at '/', ']' or ':'.
    strncpy(url, login, sizeof(url) - 1);
    url[sizeof(url) - 1] = 0;
    ptr = strstr(login, "://") + 3;
    if (ptr[0] == '[')
        ptr++;
    strncpy(mhost, ptr, sizeof(mhost) - 1);
    mhost[sizeof(mhost) - 1] = 0;
    if ((ptr = index(mhost, '/')) != NULL)
        *ptr = 0;
    if ((ptr = index(mhost, ']')) != NULL)
        *ptr = 0;
    else if ((ptr = index(mhost, ':')) != NULL)
        *ptr = 0;

    // Split miscptr ("user:pass") into mlogin and mpass.
    // NOTE(review): mlogin and mpass are not used afterwards; the requests
    // below are built from login (the URL) and pass (always empty).
    if (miscptr != NULL && index(miscptr, ':') != NULL) {
        strncpy(mlogin, miscptr, sizeof(mlogin) - 1);
        mlogin[sizeof(mlogin) - 1] = 0;
        ptr = index(mlogin, ':');
        *ptr++ = 0;
        strncpy(mpass, ptr, sizeof(mpass) - 1);
        mpass[sizeof(mpass) - 1] = 0;
        auth = 1;
    }

    if (http_proxy_auth_mechanism == AUTH_ERROR) {
        //send dummy request
        // NOTE(review): url and mhost can each hold 259 characters, so this
        // unbounded sprintf can write past the 500-byte buffer. mhost is also
        // inserted without a "Host: " prefix or a trailing CRLF.
        sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header);
        if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
            return 1;

        //receive first 40x
        buf = hydra_receive_line(s);
        while (buf != NULL && strstr(buf, "HTTP/") == NULL) {
            free(buf);
            buf = hydra_receive_line(s);
        }

        // NOTE(review): buf may be NULL here and is passed to "%s".
        if (debug)
            hydra_report(stderr, "S:%s\n", buf);

        //after the first query we should have been disconnected from web server
        // NOTE(review): the result of the reconnect is not checked.
        s = hydra_disconnect(s);
        if ((options & OPTION_SSL) == 0) {
            s = hydra_connect_tcp(ip, port);
        } else {
            s = hydra_connect_ssl(ip, port, hostname);
        }
    }

    // NOTE(review): buf is only assigned inside the AUTH_ERROR branch above.
    // When that branch is skipped, or the receive loop ended with NULL, the
    // lookups below and the result analysis work on a stale or NULL pointer.
    if (auth) {
        if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) {
            http_proxy_auth_mechanism = AUTH_BASIC;
            sprintf(buffer2, "%.50s:%.50s", login, pass);
            hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
            // NOTE(review): unbounded sprintf into buffer[500]; host is uninitialised.
            sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
            if (debug)
                hydra_report(stderr, "C:%s\n", buffer);
            if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                return 1;
            free(buf);
            buf = hydra_receive_line(s);
            while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                free(buf);
                buf = hydra_receive_line(s);
            }

            //if server cut the connection, just exit cleanly or
            //this will be an infinite loop
            if (buf == NULL) {
                if (verbose)
                    hydra_report(stderr, "[ERROR] Server did not answer\n");
                return 3;
            }

            if (debug)
                hydra_report(stderr, "S:%s\n", buf);
        } else {
            if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) {
                unsigned char buf1[4096];
                unsigned char buf2[4096];
                char *pos = NULL;

                http_proxy_auth_mechanism = AUTH_NTLM;
                //send auth and receive challenge
                //send auth request: let the server send it's own hostname and domainname
                buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

                /* to be portable, no snprintf, buffer is big enough so it cant overflow */
                // NOTE(review): buffer is 500 bytes while url alone may take 259
                // and buf1 holds a base64 NTLM message of unchecked length; the
                // claim above does not hold for long inputs.
                //send the first..
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                //receive challenge
                free(buf);
                buf = hydra_receive_line(s);
                while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }
                // Skip the 25-character header name and cut the value at the end of its line.
                if (pos != NULL) {
                    char *str;

                    pos += 25;
                    if ((str = strchr(pos, '\r')) != NULL) {
                        pos[str - pos] = 0;
                    }
                    if ((str = strchr(pos, '\n')) != NULL) {
                        pos[str - pos] = 0;
                    }
                }
                //recover challenge
                // NOTE(review): the challenge length is not compared with
                // sizeof(buf1) before decoding. When buf is NULL (connection
                // closed) the code still goes on to build a response from
                // whatever buf1 holds.
                if (buf != NULL) {
                    if (strlen(buf) >= 4)
                        from64tobits((char *) buf1, pos);
                    free(buf);
                }
                //Send response
                buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
                // NOTE(review): same unbounded sprintf into buffer[500] as above.
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (debug)
                    hydra_report(stderr, "C:%s\n", buffer);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                buf = hydra_receive_line(s);
                while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }

                if (buf == NULL)
                    return 1;
            } else {
#ifdef LIBOPENSSL
                if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
                    char *pbuffer;

                    http_proxy_auth_mechanism = AUTH_DIGESTMD5;
                    // NOTE(review): this second search requires a trailing space
                    // that the test above does not, so pbuffer can be NULL here.
                    pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
                    strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
                    buffer[sizeof(buffer) - 1] = '\0';

                    pbuffer = buffer2;
                    sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
                    // NOTE(review): pbuffer was just set to buffer2, so this test
                    // can never be true.
                    if (pbuffer == NULL)
                        return 3;

                    if (debug)
                        hydra_report(stderr, "C:%s\n", buffer2);
                    if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
                        return 1;

                    free(buf);
                    buf = hydra_receive_line(s);
                    while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                        free(buf);
                        buf = hydra_receive_line(s);
                    }

                    if (debug && buf != NULL)
                        hydra_report(stderr, "S:%s\n", buf);

                    if (buf == NULL)
                        return 1;

                } else
#endif
                {
                    // NOTE(review): an empty buf makes strlen(buf) - 1 index
                    // before the start of the string; buf is not freed on this path.
                    if (buf != NULL) {
                        buf[strlen(buf) - 1] = '\0';
                        hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf);
                    } else {
                        hydra_report(stderr, "Unsupported Auth type\n");
                    }
                    return 3;
                }
            }
        }
    }
    // result analysis
    // NOTE(review): index() returns NULL for a status line without a space, and
    // *(ptr + 2) is read without checking that the line is that long. The
    // strncmp() calls compare 4 bytes including the terminator, so they match
    // only when the line ends right after "404"/"403".
    ptr = ((char *) index(buf, ' ')) + 1;
    if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) {
        hydra_report_found_host(port, ip, "http-proxy", fp);
        if (fp != stdout)
            fprintf(fp, "[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        printf("[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        hydra_completed_pair_found();
    } else {
        // NOTE(review): buf is not freed before this return.
        if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) {
            hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n");
            return 3;
        }
        hydra_completed_pair();
    }

    free(buf);

    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
    return 1;
}